diff options
author | Gerd Hoffmann <kraxel@redhat.com> | 2016-02-16 14:25:00 +0100 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2016-02-17 14:16:06 +1000 |
commit | 34855706c30d52b0a744da44348b5d1cc39fbe51 (patch) | |
tree | d50651f76c1b1c644dd5be5b96581e35514ddef4 /drivers/gpu/drm/qxl | |
parent | e8f051e9d8fe15d71d8d47c0d878d51bf5f864ad (diff) |
drm/qxl: use kmalloc_array to alloc reloc_info in qxl_process_single_command
This avoids integer overflows on 32bit machines when calculating
reloc_info size, as reported by Alan Cox.
Cc: stable@vger.kernel.org
Cc: gnomes@lxorguk.ukuu.org.uk
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Diffstat (limited to 'drivers/gpu/drm/qxl')
-rw-r--r-- | drivers/gpu/drm/qxl/qxl_ioctl.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index 2ae8577497ca..7c2e78201ead 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -168,7 +168,8 @@ static int qxl_process_single_command(struct qxl_device *qdev, cmd->command_size)) return -EFAULT; - reloc_info = kmalloc(sizeof(struct qxl_reloc_info) * cmd->relocs_num, GFP_KERNEL); + reloc_info = kmalloc_array(cmd->relocs_num, + sizeof(struct qxl_reloc_info), GFP_KERNEL); if (!reloc_info) return -ENOMEM; |